The Veterans Affairs Department's recent loss of veterans' personal data highlights a broader question that has rattled around Washington for 10 years: the need to update the Privacy Act of 1974.

While Congress improved pieces of the legislation with the E-Government Act of 2002, and the Office of Management and Budget has tried to make enhancements through policy, some experts and lawmakers are calling for the VA incident to spur changes to the 22-year-old mandate.

'The federal government has failed to update its policies and procedures for protecting the personal information of Americans,' said Sen. Daniel Akaka (D-Hawaii), ranking member of the Veterans' Affairs Committee.

Congress has mandated that agencies have chief privacy officers and has created the Privacy and Civil Liberties Oversight Board. But it hasn't given them real enforcement powers, nor has it reviewed privacy laws to ensure that they are still effective, Akaka said.

He has asked the Senate Homeland Security and Governmental Affairs Committee to hold hearings on the Privacy Act to develop legislation to improve the protection of personal information collected and used by the federal government.

He recently introduced legislation to strengthen the powers of the Homeland Security Department's chief privacy officer, and he may expand his bill to all agencies.

Sen. Susan Collins (R-Maine), chairwoman of the committee, would not say if the committee would look at the Privacy Act. But she did say the committee would review the Federal Information Security Management Act reports and Privacy Act reports to see if other agencies lack controls, as VA did.

But Robert Gellman, a privacy expert and GCN columnist, said that while the Privacy Act needs to be updated, that would not have solved VA's problem.

'What is needed is appropriate security measures,' he said. 'At some level you can't protect against people, because people don't always follow the rules. If the information was encrypted in the first place, then none of this is a big deal.'

Gellman added that it may take Congress two or three years to update the act, and then there only is a 50-50 chance they would make it better.

'This is a policy issue,' Gellman said. 'People only should have access to information when they need to, and take data out of the office when absolutely necessary. A lot of activity needs to be regulated at the practice level and not at the policy or statutory level.'